• by Wendy Davis  @wendyndavis, September 26, 2022

Authorities in the United Kingdom have made “provisional” findings that social media service TikTok violated children's privacy laws, the UK Information Commissioner's Office said Monday.

If regulators conclude that TikTok has violated the UK's privacy code, the company could be fined up to around $28 million.

“We all want children to be able to learn and experience the digital world, but with proper data privacy protections,” Information Commissioner John Edwards stated Monday. “Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement.”

The Chinese-owned company may have violated the children's privacy rules in several ways, including by processing data of children under 13 without parental consent, and processing “special category” data -- such as biometric information or data revealing race or ethnicity -- without legal grounds.

The potential violations occurred between May of 2018 and July of 2020, according to the Information Commissioner's Office. The agency added that it hasn't concluded TikTok violated the law.

In the US, TikTok agreed in 2019 to pay $5.7 million to settle an FTC complaint alleging the company violated the Children’s Online Privacy Protection Act, which prohibits website operators from knowingly collecting personal information form children under 13, without parental consent.

The company separately agreed to pay $92 million to settle class-action claims that it violated several data protection laws -- including the federal video privacy law and an Illinois law regarding biometric information.

That deal, accepted by U.S. District Court Judge John Lee in the Northern District of Illinois, also required the Chinese-owned TikTok to restrict data collection.

News of the potential fine abroad comes as the company continues to face scrutiny in the U.S. over claims that it transfers data to China. Buzzfeed reported earlier this year that China-based employees of TikTok parent company ByteDance accessed data about U.S. users of the service. TikTok subsequently said it is routing all U.S. traffic to Oracle servers, and plans to store all U.S. users' data in this country.

Soon after the Buzzfeed report, leaders of the Senate intelligence committee asked the Federal Trade Commission to launch an investigation.

Federal Communications Commissioner Brendan Carr also asked Apple and Google to remove TikTok from their app stores due to its "pattern of surreptitious data practices.

Separately, TikTok and the Biden administration have made progress in negotiations over conditions that could resolve some security concerns about the service, according to The New York Times.

The Times reports that the deal would involve TikTok changing its data security and governance, but also says negotiations are ongoing and that some administration officials are expressing concerns.